Cyberon Security (https://cyberonsecurity.com/no/): Protecting your business and your people

Microsoft Office’s Excel Attack Vector
https://cyberonsecurity.com/no/2019/09/11/microsoft-offices-excel-attack-vector/
Wed, 11 Sep 2019 11:48:47 +0000

The post Microsoft Office’s Excel Attack Vector appeared first on Cyberon Security.
SYSTEMS AFFECTED

Microsoft Office 2016 and older:

  • Excel running Power Query

THREAT LEVEL

High

OVERVIEW

A Microsoft Excel feature called Power Query can be used to launch a remote Dynamic Data Exchange (DDE) attack from an Excel spreadsheet, deliver a payload, and actively control that payload through Power Query.

A feature in Microsoft Office’s Excel spreadsheet program called Power Query can be exploited to plant malware on remote systems. Researchers at Mimecast Threat Center say they have developed a proof-of-concept attack scenario and reported the vulnerability last month.

DESCRIPTION

A feature in Microsoft Office’s Excel spreadsheet program called Power Query can be exploited to plant malware on remote systems. Researchers at Mimecast Threat Center say they have developed a proof-of-concept attack scenario and reported the vulnerability Thursday.

The exploitable feature in Excel, called Power Query, allows users to embed outside data sources such as external databases or web-based data into a spreadsheet. Mimecast Threat Center has developed a technique to launch a remote Dynamic Data Exchange (DDE) attack from an Excel spreadsheet, deliver a malicious payload and actively control the payload via Power Query. The researchers say that in older versions, such as Microsoft Excel 2010, the payload is executed automatically, with no user interaction needed.

IMPACT

Successful exploitation of the DDE feature could allow attackers to perform remote code execution and take control of the affected systems to perform malicious activities, such as unauthorised installation of programmes, creating rogue administrator accounts, and being able to view, change, or delete data.

SOLUTION

Microsoft has published an advisory (https://docs.microsoft.com/en-us/security-updates/securityadvisories/2017/4053440) on mitigation measures for DDE-related attacks. Users are recommended to apply the mitigation measures immediately.
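As an added example (not code from the Cyberon post or from Microsoft), the following PowerShell function audits, and with -Enforce applies, the Excel DDE mitigation registry values from Microsoft's advisory 4053440 for the current user. The value names and data are the ones the advisory lists in its Excel section as recalled here; check them against the advisory text before enforcing. The keys live under HKCU, so they are per-user, and an enterprise rollout belongs in Group Policy rather than in a logon script.

```powershell
# Added example (not from the Cyberon post or Microsoft): audit, and optionally
# apply, the Excel DDE mitigation registry values from Microsoft advisory 4053440.
# Assumption: the value names/data below match the advisory's Excel section;
# verify them against the advisory before running with -Enforce.

function Test-ExcelDdeMitigation {
    [CmdletBinding()]
    param(
        # Write the mitigation values instead of only reporting them
        [switch]$Enforce
    )

    # Expected values per advisory 4053440 (Excel section), keyed by Excel subkey.
    # WorkbookLinkWarnings = 2 disables DDE server launch/lookup in Excel;
    # the Options values stop automatic link updates and DDE.
    $expected = @{
        'Security' = @{ 'WorkbookLinkWarnings' = 2 }
        'Options'  = @{ 'DontUpdateLinks' = 1; 'DDEAllowed' = 0; 'DDECleaned' = 1 }
    }

    $officeRoot = 'HKCU:\Software\Microsoft\Office'
    if (-not (Test-Path $officeRoot)) {
        Write-Warning "No Office registry hive under $officeRoot for this user"
        return
    }

    # Office version keys look like 14.0 (2010), 15.0 (2013), 16.0 (2016)
    $versions = Get-ChildItem $officeRoot | Where-Object { $_.PSChildName -match '^\d+\.\d+$' }

    foreach ($v in $versions) {
        foreach ($subkey in $expected.Keys) {
            $path = "$officeRoot\$($v.PSChildName)\Excel\$subkey"
            foreach ($name in $expected[$subkey].Keys) {
                $want = $expected[$subkey][$name]
                $have = $null
                if (Test-Path $path) {
                    $have = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
                }
                $ok = ($have -eq $want)
                if (-not $ok -and $Enforce) {
                    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
                    New-ItemProperty -Path $path -Name $name -Value $want -PropertyType DWord -Force | Out-Null
                    $ok = $true
                }
                [pscustomobject]@{
                    OfficeVersion = $v.PSChildName
                    Key           = "Excel\$subkey"
                    Name          = $name
                    Expected      = $want
                    Actual        = $have
                    Compliant     = $ok
                }
            }
        }
    }
}

# Report only; add -Enforce to write the values for the current user.
Test-ExcelDdeMitigation | Format-Table -AutoSize
```

Run it once without -Enforce to see which Office versions on the machine still allow DDE, then with -Enforce (or the equivalent Group Policy registry preference) to close the gap. Disabling DDE will break workbooks that legitimately rely on DDE links, so inventory those before rolling the change out.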

REFERENCE

  1. https://threatpost.com/microsoft-excel-attack-vector/146062/
  2. https://www.mimecast.com/blog/2019/06/exploit-using-microsoft-excel-power-query-for-remote-dde-execution-discovered/
  3. https://docs.microsoft.com/en-us/security-updates/securityadvisories/2017/4053440
  4. https://www.csa.gov.sg/singcert/news/advisories-alerts/microsoft-office-excel-attack-vector

CREDITS

The Mimecast Threat Center

DISCLAIMER

The information provided herein is on “as is” basis, without warranty of any kind.

Android Patches 33 New Security Vulnerabilities
https://cyberonsecurity.com/no/2019/09/11/android-patches-33-new-security-vulnerabilities/
Wed, 11 Sep 2019 11:46:46 +0000

SYSTEMS AFFECTED

  • Android devices

THREAT LEVEL

  • High

OVERVIEW

Google has started rolling out this month’s security updates for its mobile operating system platform to address a total of 33 new security vulnerabilities affecting Android devices, 9 of which have been rated critical in severity.

DESCRIPTION

This bulletin has two security patch levels. At the basic 2019-07-01 level, 12 bugs are addressed.

  • Five remote code execution vulnerabilities.
  • Three (CVE-2019-2106, CVE-2019-2107, CVE-2019-2100) in the Android media framework.
  • CVE-2019-2105 is in Android Library
  • CVE-2019-2105 is found in the System.

All would be triggered by opening a specially-crafted file.

  • CVE-2019-2104 in Framework
  • CVE-2019-2116, CVE-2019-2117, CVE-2019-2118 and CVE-2019-2119 in System are for information disclosure bugs.
  • CVE-2019-2112, CVE-2019-2113 are elevation of privilege vulnerabilities.
  • Ten of the closed-source component CVEs were for issues rated as High security risks. This means things like elevation of privilege and information disclosure flaws.
  • Another three were classified as critical, meaning remote code execution vulnerabilities that require little to no user interaction to exploit.
  • CVE-2019-2308 in DSP Services and CVE-2019-2330 in Kernel were classified as critical.
  • The other six were labeled high severity and were found in WLAN Host (CVE-2019-2276, CVE-2019-2307), WLAN Driver (CVE-2019-2305), HLOS (CVE-2019-2278), and Audio (CVE-2019-2326, CVE-2019-2328).

IMPACT

The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

SOLUTION

Check your Android security patch level and install the latest available update.

REFERENCE

  1. https://source.android.com/security/bulletin/2019-07-01
  2. https://www.bleepingcomputer.com/news/security/july-android-security-update-fixes-four-critical-rce-flaws/
  3. https://www.theregister.co.uk/2019/07/01/july_android_fixes/
  4. https://thehackernews.com/2019/07/android-security-update.html

CREDITS

@Android

DISCLAIMER

The information provided herein is on “as is” basis, without warranty of any kind.

Ransomware attacks via RDP on the rise
https://cyberonsecurity.com/no/2019/09/11/ransomware-attacks-via-rdp-on-the-rise/
Wed, 11 Sep 2019 11:44:59 +0000

Remote Desktop Protocol (RDP)

RDP stands for Remote Desktop Protocol, a proprietary network protocol developed by Microsoft in the 90s. It can be used to log in to a system remotely and control the resources and data of that system as a remote administration tool. It is also being used by cyber attackers as a primary attack vector to exploit Windows systems and spread ransomware.

How you get infected

In order to authenticate users and establish a remote desktop connection, a username and a password must be provided. So, weaknesses like

  • weak passwords,
  • outdated versions of RDP,
  • allowing unlimited login attempts, and
  • allowing unrestricted access to the default RDP port (TCP 3389)

will attract cyber attackers sooner or later.

An attacker will also use social engineering techniques such as phishing: you may be tricked into downloading and opening Office documents with macros enabled, or into installing a trojan.

Threats

  • CryptON, also known as Nemesis or X3M ransomware, targets Windows servers and uses RDP brute-forcing to gain access. After gaining access, the attacker manually launches the ransomware inside the system. It encrypts all types of files, excluding C:\Windows, C:\Program Files and the user profile folder, to avoid breaking the boot process. Its authors keep producing new versions, such as Cry9 (4/4/2017) and Cry128 (5/1/2017).
  • Crisis ransomware uses the same brute-forcing and dictionary-based techniques through open RDP ports, as well as malicious spam emails and trojans. When a system is infected, it encrypts all files on fixed, removable and network storage except system files and files belonging to the ransomware, and modifies the registry.
  • SamSam ransomware also uses RDP to exploit systems. In July 2018, SamSam threat actors used a brute-force attack on RDP login credentials to infiltrate a healthcare company. The ransomware was able to encrypt thousands of machines before detection. [3]
  • Stolen RDP credentials are sold on the dark web.

The criminals then demand a ransom, paid in bitcoin, for decryption, and there is no guarantee that paying it will get your data back.

How to protect your RDP

  • Public IPs of cloud-based instances should not have open RDP ports, especially port 3389. If you must have one, place it behind a firewall and reach it through a Virtual Private Network (VPN) that terminates at the firewall.
  • Make sure all your RDP hosts enforce Network Level Authentication (NLA), so attackers can’t get a full Windows GUI session until they provide valid credentials.
  • Disable the service if you don’t use it [2]. If you do use it, never skip security patches and software updates, and monitor the service regularly so you can detect malicious activity.
  • To defend against brute-force and dictionary attacks, enforce strong passwords, two-factor authentication and account lockout policies.
  • Limit access to specific IPs [4] and change the RDP port [5], so port scanners looking for the default RDP port won’t find you.
  • Keep logs of RDP logins and review them regularly.
  • Ensure third parties that require RDP access are required to follow your internal policies on remote access.
  • Do not expose critical network devices of your organization to the public; reduce exposure as much as possible, and such devices must not have RDP enabled.
  • Always keep backups of your critical data.
  • You can also use Remote Desktop Gateway (RDG), which tunnels RDP over SSL [6]. Implementing a two-factor authentication solution is highly recommended regardless of whether you use RDG or a VPN, to mitigate brute-forcing.
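The checklist above can be turned into a repeatable audit. The PowerShell function below is an added example (not code from the Cyberon post or from any of its references); it reads the NLA, security-layer and port settings of the local RDP listener, the account lockout threshold, and then summarises failed logons (Security event ID 4625, network and RemoteInteractive logon types) per source address over the last 24 hours, which is the review the "keep logs of RDP logins" item asks for. It assumes PowerShell 3.0 or later, an elevated session, and that failure auditing for logon events is enabled (otherwise no 4625 events exist to count). The 20-failures threshold is an arbitrary starting point.

```powershell
# Added example (not from the Cyberon post): audit the RDP hardening points above
# on a Windows host and summarise failed remote logons from the Security log.
# Assumptions: PowerShell 3.0+, run elevated, logon failure auditing enabled
# (Event ID 4625 is only written when "Audit Logon" failure auditing is on).

function Get-RdpHardeningReport {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,        # how far back to look for failed logons
        [int]$Threshold = 20     # failures per source address that count as brute-forcing (arbitrary)
    )

    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"

    $rdpEnabled = (Get-ItemProperty $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
    $nla        = (Get-ItemProperty $tcp -Name UserAuthentication).UserAuthentication -eq 1
    $secLayer   = (Get-ItemProperty $tcp -Name SecurityLayer).SecurityLayer   # 2 = TLS required
    $port       = (Get-ItemProperty $tcp -Name PortNumber).PortNumber

    # Account lockout threshold as reported by "net accounts" ("Never" = no lockout)
    $lockoutLine = (net accounts) | Where-Object { $_ -match '^Lockout threshold' }
    $lockout = if ($lockoutLine -match 'Never') { 0 } else { [int]($lockoutLine -replace '\D', '') }

    # Failed logons (4625) in the window, grouped by source address for network (3)
    # and RemoteInteractive (10) logon types, which is how RDP attempts are recorded.
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    $bySource = @{}
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (@('3', '10') -contains $data['LogonType']) {
            $ip = $data['IpAddress']
            if ($ip -and $ip -ne '-') { $bySource[$ip] = 1 + $bySource[$ip] }
        }
    }
    $suspects = $bySource.GetEnumerator() |
                Where-Object { $_.Value -ge $Threshold } |
                Sort-Object Value -Descending

    [pscustomobject]@{
        RdpEnabled          = $rdpEnabled
        NlaRequired         = $nla
        TlsRequired         = ($secLayer -eq 2)
        ListeningPort       = $port
        DefaultPortInUse    = ($port -eq 3389)
        LockoutThreshold    = $lockout
        LockoutConfigured   = ($lockout -gt 0)
        FailedLogonsChecked = @($events).Count
        BruteForceSuspects  = ($suspects | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
    }
}

Get-RdpHardeningReport | Format-List
```

A host that is doing well shows NlaRequired and TlsRequired true, a non-zero lockout threshold and an empty BruteForceSuspects field. A long list of suspects from a single address on a host that is supposed to sit behind a VPN usually means the port is reachable from the internet after all, which is the first item on the list above.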

References

  1. https://www.ic3.gov/media/2018/180927.aspx
  2. https://blog.malwarebytes.com/security-world/business-security-world/2018/08/protect-rdp-access-ransomware-attacks/
  3. https://www.cyber.nj.gov/threat-profiles/ransomware-variants/
  4. https://support.managed.com/kb/a2499/restrict-rdp-access-by-ip-address.aspx
  5. https://tunecomp.net/change-remote-desktop-port-windows-10/
  6. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd983941(v=ws.10)

How to set up RD Gateway for Windows Server 2008 R2
https://cyberonsecurity.com/no/2019/07/04/hvordan-sette-opp-rd-gateway-for-windows-server-2008-r2/
Thu, 04 Jul 2019 10:54:46 +0000

What an RD Gateway does

A Remote Desktop Gateway acts as a gate that external RDP connections must pass through to reach the Remote Desktop server. Using an RD Gateway protects the Remote Desktop server from potential attacks and vulnerabilities. With an RD Gateway installed, you can give clients the address or DNS name of the gateway server to connect to. You can also create groups of servers and only allow certain users access to given servers.

How to install the RD Gateway role service on a Windows Server 2008 R2

  1. Install the Remote Desktop Gateway role service via Server Manager. You will need to install the Remote Desktop Services role first.
  2. Once the Remote Desktop Gateway role service is installed, run Remote Desktop Gateway Manager.
  3. Go to Policies and create a "Connection Authorization Policy". This is where you define who is allowed to log on to the RD Gateway.
  4. Go to Policies and create a "Resource Authorization Policy". This is where you define which resources can be accessed via the RD Gateway, and by whom. Note: the name and IP address you set here will be used by clients when they connect with the RD client. If, for example, you define "MYSERVER" in the rule and users enter "MYSERVER.domain.local" in the RD client, the connection will fail.
  5. Right-click the RD Gateway server name and select Properties. The window that opens offers several options, but the defaults are fine. You do, however, need to go to the "SSL Certificate" tab and install a certificate.
  6. Allow/forward TCP port 443 (the SSL port) on your firewall to the RD Gateway server.

[Figure: server SSL certificate]
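Once the six steps are done, it is worth checking the result before handing the gateway name to users. The PowerShell function below is an added example (not part of the Cyberon guide or of Microsoft's documentation) that verifies, on the gateway itself, that the RD Gateway role and its service are present and running, that TCP 443 is listening, that a valid machine certificate matches the name clients will type, and that that name resolves. It is limited to cmdlets available on Windows Server 2008 R2 (so netstat is parsed instead of using Get-NetTCPConnection). The name rdgw.example.com is a placeholder to replace with your own gateway FQDN.

```powershell
# Added example (not from the Cyberon guide): verify an RD Gateway installation
# on Windows Server 2008 R2 after the steps above. Assumptions: run elevated on
# the gateway itself; $GatewayFqdn is the DNS name clients will type (placeholder);
# only PowerShell 2.0-era cmdlets are used, so port checks parse netstat output.

function Test-RdGatewaySetup {
    param([string]$GatewayFqdn = 'rdgw.example.com')   # placeholder, replace with your FQDN

    Import-Module ServerManager
    $role = Get-WindowsFeature RDS-Gateway                      # the RD Gateway role service
    $svc  = Get-Service TSGateway -ErrorAction SilentlyContinue # "Remote Desktop Gateway" service

    # TCP 443 must be listening (step 6 forwards this port to the gateway)
    $listening443 = [bool]((netstat -ano -p tcp) |
                           Where-Object { $_ -match ':443\s+\S+\s+LISTENING' })

    # Step 5: a machine certificate whose subject or Subject Alternative Name contains
    # the gateway FQDN and that has not expired
    $now     = Get-Date
    $pattern = [regex]::Escape($GatewayFqdn)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $san = ($_.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' } |
                ForEach-Object { $_.Format($false) }) -join ' '
        ($_.Subject -match $pattern -or $san -match $pattern) -and $_.NotAfter -gt $now
    } | Select-Object -First 1

    # Step 4's warning: clients must type exactly the name configured, so it must resolve
    $resolves = $true
    try { [System.Net.Dns]::GetHostAddresses($GatewayFqdn) | Out-Null } catch { $resolves = $false }

    New-Object PSObject -Property @{
        RoleInstalled     = [bool]$role.Installed
        ServiceRunning    = ($svc -ne $null -and $svc.Status -eq 'Running')
        Listening443      = $listening443
        CertificateFound  = ($cert -ne $null)
        CertificateThumb  = $(if ($cert) { $cert.Thumbprint } else { $null })
        CertificateExpiry = $(if ($cert) { $cert.NotAfter } else { $null })
        FqdnResolves      = $resolves
    }
}

Test-RdGatewaySetup -GatewayFqdn 'rdgw.example.com' | Format-List
```

If CertificateFound is false while the SSL Certificate tab shows a certificate, the name on the certificate does not match the name you intend to give clients; fix that before going live, since the RD client validates the gateway certificate against the name it was given.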

Configuring the local RDP client

[Figure: Step 1]
[Figure: Step 2]

See also our guide on how to configure RD Gateway for Windows Server 2016.

References

  1. https://turbofuture.com/computers/What-is-Remote-Desktop-Gateway-and-how-to-install
  2. https://www.vkernel.ro/blog/configuring-windows-server-2008-r2-rd-gateway-for-external-access
